Commit | Line | Data |
---|---|---|
2a9721f1 SH |
1 | .TH IP\-XFRM 8 "20 Dec 2011" "iproute2" "Linux" |
2 | .SH "NAME" | |
aab2702d | 3 | ip-xfrm \- transform configuration |
2a9721f1 SH |
4 | .SH "SYNOPSIS" |
5 | .sp | |
6 | .ad l | |
7 | .in +8 | |
8 | .ti -8 | |
9 | .B ip | |
10 | .RI "[ " OPTIONS " ]" | |
11 | .B xfrm | |
12 | .RI " { " COMMAND " | " | |
13 | .BR help " }" | |
14 | .sp | |
15 | ||
16 | .ti -8 | |
17 | .B "ip xfrm" | |
18 | .IR XFRM-OBJECT " { " COMMAND " | " | |
19 | .BR help " }" | |
20 | .sp | |
21 | ||
22 | .ti -8 | |
23 | .IR XFRM-OBJECT " :=" | |
24 | .BR state " | " policy " | " monitor | |
25 | .sp | |
26 | ||
27 | .ti -8 | |
28 | .BR "ip xfrm state" " { " add " | " update " } " | |
29 | .IR ID " [ " ALGO-LIST " ]" | |
30 | .RB "[ " mode | |
31 | .IR MODE " ]" | |
32 | .RB "[ " mark | |
33 | .I MARK | |
34 | .RB "[ " mask | |
35 | .IR MASK " ] ]" | |
36 | .RB "[ " reqid | |
37 | .IR REQID " ]" | |
38 | .RB "[ " seq | |
39 | .IR SEQ " ]" | |
40 | .RB "[ " replay-window | |
41 | .IR SIZE " ]" | |
42 | .RB "[ " replay-seq | |
43 | .IR SEQ " ]" | |
44 | .RB "[ " replay-oseq | |
45 | .IR SEQ " ]" | |
46 | .RB "[ " flag | |
47 | .IR FLAG-LIST " ]" | |
48 | .RB "[ " sel | |
49 | .IR SELECTOR " ] [ " LIMIT-LIST " ]" | |
50 | .RB "[ " encap | |
51 | .IR ENCAP " ]" | |
52 | .RB "[ " coa | |
53 | .IR ADDR "[/" PLEN "] ]" | |
54 | .RB "[ " ctx | |
55 | .IR CTX " ]" | |
56 | ||
57 | .ti -8 | |
58 | .B "ip xfrm state allocspi" | |
59 | .I ID | |
60 | .RB "[ " mode | |
61 | .IR MODE " ]" | |
62 | .RB "[ " mark | |
63 | .I MARK | |
64 | .RB "[ " mask | |
65 | .IR MASK " ] ]" | |
66 | .RB "[ " reqid | |
67 | .IR REQID " ]" | |
68 | .RB "[ " seq | |
69 | .IR SEQ " ]" | |
70 | .RB "[ " min | |
71 | .I SPI | |
72 | .B max | |
73 | .IR SPI " ]" | |
74 | ||
75 | .ti -8 | |
76 | .BR "ip xfrm state" " { " delete " | " get " } " | |
77 | .I ID | |
78 | .RB "[ " mark | |
79 | .I MARK | |
80 | .RB "[ " mask | |
81 | .IR MASK " ] ]" | |
82 | ||
83 | .ti -8 | |
84 | .BR "ip xfrm state" " { " deleteall " | " list " } [" | |
85 | .IR ID " ]" | |
86 | .RB "[ " mode | |
87 | .IR MODE " ]" | |
88 | .RB "[ " reqid | |
89 | .IR REQID " ]" | |
90 | .RB "[ " flag | |
91 | .IR FLAG-LIST " ]" | |
92 | ||
93 | .ti -8 | |
94 | .BR "ip xfrm state flush" " [ " proto | |
95 | .IR XFRM-PROTO " ]" | |
96 | ||
97 | .ti -8 | |
98 | .BR "ip xfrm state count" | |
99 | ||
100 | .ti -8 | |
101 | .IR ID " :=" | |
102 | .RB "[ " src | |
103 | .IR ADDR " ]" | |
104 | .RB "[ " dst | |
105 | .IR ADDR " ]" | |
106 | .RB "[ " proto | |
107 | .IR XFRM-PROTO " ]" | |
108 | .RB "[ " spi | |
109 | .IR SPI " ]" | |
110 | ||
111 | .ti -8 | |
112 | .IR XFRM-PROTO " :=" | |
113 | .BR esp " | " ah " | " comp " | " route2 " | " hao | |
114 | ||
115 | .ti -8 | |
116 | .IR ALGO-LIST " := [ " ALGO-LIST " ] " ALGO | |
117 | ||
118 | .ti -8 | |
119 | .IR ALGO " :=" | |
f3b9aa3d | 120 | .RB "{ " enc " | " auth " } " |
29665f92 | 121 | .IR ALGO-NAME " " ALGO-KEYMAT " |" |
2a9721f1 | 122 | .br |
2a9721f1 | 123 | .B auth-trunc |
29665f92 | 124 | .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-TRUNC-LEN " |" |
f3b9aa3d DW |
125 | .br |
126 | .B aead | |
29665f92 | 127 | .IR ALGO-NAME " " ALGO-KEYMAT " " ALGO-ICV-LEN " |" |
f3b9aa3d DW |
128 | .br |
129 | .B comp | |
130 | .IR ALGO-NAME | |
2a9721f1 SH |
131 | |
132 | .ti -8 | |
133 | .IR MODE " := " | |
29665f92 | 134 | .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger |
2a9721f1 SH |
135 | |
136 | .ti -8 | |
137 | .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG | |
138 | ||
139 | .ti -8 | |
140 | .IR FLAG " :=" | |
141 | .BR noecn " | " decap-dscp " | " nopmtudisc " | " wildrecv " | " icmp " | " af-unspec " | " align4 | |
142 | ||
143 | .ti -8 | |
144 | .IR SELECTOR " :=" | |
145 | .RB "[ " src | |
146 | .IR ADDR "[/" PLEN "] ]" | |
147 | .RB "[ " dst | |
148 | .IR ADDR "[/" PLEN "] ]" | |
149 | .RB "[ " dev | |
150 | .IR DEV " ]" | |
151 | .br | |
152 | .RI "[ " UPSPEC " ]" | |
153 | ||
154 | .ti -8 | |
155 | .IR UPSPEC " := " | |
156 | .BR proto " {" | |
157 | .IR PROTO " |" | |
158 | .br | |
159 | .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport | |
160 | .IR PORT " ]" | |
161 | .RB "[ " dport | |
162 | .IR PORT " ] |" | |
163 | .br | |
164 | .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type | |
165 | .IR NUMBER " ]" | |
166 | .RB "[ " code | |
167 | .IR NUMBER " ] |" | |
168 | .br | |
169 | .BR gre " [ " key | |
170 | .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }" | |
171 | ||
172 | .ti -8 | |
173 | .IR LIMIT-LIST " := [ " LIMIT-LIST " ]" | |
174 | .B limit | |
175 | .I LIMIT | |
176 | ||
177 | .ti -8 | |
178 | .IR LIMIT " :=" | |
179 | .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }" | |
180 | .IR "SECONDS" " |" | |
181 | .br | |
182 | .RB "{ " byte-soft " | " byte-hard " }" | |
183 | .IR SIZE " |" | |
184 | .br | |
185 | .RB "{ " packet-soft " | " packet-hard " }" | |
186 | .I COUNT | |
187 | ||
188 | .ti -8 | |
189 | .IR ENCAP " :=" | |
190 | .RB "{ " espinudp " | " espinudp-nonike " }" | |
191 | .IR SPORT " " DPORT " " OADDR | |
192 | ||
193 | .ti -8 | |
194 | .BR "ip xfrm policy" " { " add " | " update " }" | |
195 | .I SELECTOR | |
196 | .B dir | |
197 | .I DIR | |
198 | .RB "[ " ctx | |
199 | .IR CTX " ]" | |
200 | .RB "[ " mark | |
201 | .I MARK | |
202 | .RB "[ " mask | |
203 | .IR MASK " ] ]" | |
204 | .RB "[ " index | |
205 | .IR INDEX " ]" | |
206 | .RB "[ " ptype | |
207 | .IR PTYPE " ]" | |
208 | .RB "[ " action | |
209 | .IR ACTION " ]" | |
210 | .RB "[ " priority | |
211 | .IR PRIORITY " ]" | |
212 | .RB "[ " flag | |
213 | .IR FLAG-LIST " ]" | |
214 | .RI "[ " LIMIT-LIST " ] [ " TMPL-LIST " ]" | |
215 | ||
216 | .ti -8 | |
217 | .BR "ip xfrm policy" " { " delete " | " get " }" | |
218 | .RI "{ " SELECTOR " | " | |
219 | .B index | |
220 | .IR INDEX " }" | |
221 | .B dir | |
222 | .I DIR | |
223 | .RB "[ " ctx | |
224 | .IR CTX " ]" | |
225 | .RB "[ " mark | |
226 | .I MARK | |
227 | .RB "[ " mask | |
228 | .IR MASK " ] ]" | |
229 | .RB "[ " ptype | |
230 | .IR PTYPE " ]" | |
231 | ||
232 | .ti -8 | |
233 | .BR "ip xfrm policy" " { " deleteall " | " list " }" | |
234 | .RI "[ " SELECTOR " ]" | |
235 | .RB "[ " dir | |
236 | .IR DIR " ]" | |
237 | .RB "[ " index | |
238 | .IR INDEX " ]" | |
239 | .RB "[ " ptype | |
240 | .IR PTYPE " ]" | |
241 | .RB "[ " action | |
242 | .IR ACTION " ]" | |
243 | .RB "[ " priority | |
244 | .IR PRIORITY " ]" | |
245 | ||
246 | .ti -8 | |
247 | .B "ip xfrm policy flush" | |
248 | .RB "[ " ptype | |
249 | .IR PTYPE " ]" | |
250 | ||
251 | .ti -8 | |
252 | .B "ip xfrm policy count" | |
253 | ||
254 | .ti -8 | |
255 | .IR SELECTOR " :=" | |
256 | .RB "[ " src | |
257 | .IR ADDR "[/" PLEN "] ]" | |
258 | .RB "[ " dst | |
259 | .IR ADDR "[/" PLEN "] ]" | |
260 | .RB "[ " dev | |
261 | .IR DEV " ]" | |
262 | .RI "[ " UPSPEC " ]" | |
263 | ||
264 | .ti -8 | |
265 | .IR UPSPEC " := " | |
266 | .BR proto " {" | |
267 | .IR PROTO " |" | |
268 | .br | |
269 | .RB "{ " tcp " | " udp " | " sctp " | " dccp " } [ " sport | |
270 | .IR PORT " ]" | |
271 | .RB "[ " dport | |
272 | .IR PORT " ] |" | |
273 | .br | |
274 | .RB "{ " icmp " | " ipv6-icmp " | " mobility-header " } [ " type | |
275 | .IR NUMBER " ]" | |
276 | .RB "[ " code | |
277 | .IR NUMBER " ] |" | |
278 | .br | |
279 | .BR gre " [ " key | |
280 | .RI "{ " DOTTED-QUAD " | " NUMBER " } ] }" | |
281 | ||
282 | .ti -8 | |
283 | .IR DIR " := " | |
284 | .BR in " | " out " | " fwd | |
285 | ||
286 | .ti -8 | |
287 | .IR PTYPE " := " | |
288 | .BR main " | " sub | |
289 | ||
290 | .ti -8 | |
291 | .IR ACTION " := " | |
292 | .BR allow " | " block | |
293 | ||
294 | .ti -8 | |
295 | .IR FLAG-LIST " := [ " FLAG-LIST " ] " FLAG | |
296 | ||
297 | .ti -8 | |
298 | .IR FLAG " :=" | |
299 | .BR localok " | " icmp | |
300 | ||
301 | .ti -8 | |
302 | .IR LIMIT-LIST " := [ " LIMIT-LIST " ]" | |
303 | .B limit | |
304 | .I LIMIT | |
305 | ||
306 | .ti -8 | |
307 | .IR LIMIT " :=" | |
308 | .RB "{ " time-soft " | " time-hard " | " time-use-soft " | " time-use-hard " }" | |
309 | .IR "SECONDS" " |" | |
310 | .br | |
311 | .RB "{ " byte-soft " | " byte-hard " }" | |
312 | .IR SIZE " |" | |
313 | .br | |
314 | .RB "{ " packet-soft " | " packet-hard " }" | |
315 | .I COUNT | |
316 | ||
317 | .ti -8 | |
318 | .IR TMPL-LIST " := [ " TMPL-LIST " ]" | |
319 | .B tmpl | |
320 | .I TMPL | |
321 | ||
322 | .ti -8 | |
323 | .IR TMPL " := " ID | |
324 | .RB "[ " mode | |
325 | .IR MODE " ]" | |
326 | .RB "[ " reqid | |
327 | .IR REQID " ]" | |
328 | .RB "[ " level | |
329 | .IR LEVEL " ]" | |
330 | ||
331 | .ti -8 | |
332 | .IR ID " :=" | |
333 | .RB "[ " src | |
334 | .IR ADDR " ]" | |
335 | .RB "[ " dst | |
336 | .IR ADDR " ]" | |
337 | .RB "[ " proto | |
338 | .IR XFRM-PROTO " ]" | |
339 | .RB "[ " spi | |
340 | .IR SPI " ]" | |
341 | ||
342 | .ti -8 | |
343 | .IR XFRM-PROTO " :=" | |
344 | .BR esp " | " ah " | " comp " | " route2 " | " hao | |
345 | ||
346 | .ti -8 | |
347 | .IR MODE " := " | |
29665f92 | 348 | .BR transport " | " tunnel " | " beet " | " ro " | " in_trigger |
2a9721f1 SH |
349 | |
350 | .ti -8 | |
351 | .IR LEVEL " :=" | |
352 | .BR required " | " use | |
353 | ||
354 | .ti -8 | |
355 | .BR "ip xfrm monitor" " [ " all " |" | |
356 | .IR LISTofXFRM-OBJECTS " ]" | |
357 | ||
358 | .in -8 | |
359 | .ad b | |
360 | ||
361 | .SH DESCRIPTION | |
362 | ||
363 | xfrm is an IP framework for transforming packets (such as encrypting | |
364 | their payloads). This framework is used to implement the IPsec protocol | |
365 | suite (with the | |
366 | .B state | |
367 | object operating on the Security Association Database, and the | |
368 | .B policy | |
369 | object operating on the Security Policy Database). It is also used for | |
370 | the IP Payload Compression Protocol and features of Mobile IPv6. | |
371 | ||
372 | .SS ip xfrm state add - add new state into xfrm | |
373 | ||
374 | .SS ip xfrm state update - update existing state in xfrm | |
375 | ||
376 | .SS ip xfrm state allocspi - allocate an SPI value | |
377 | ||
378 | .SS ip xfrm state delete - delete existing state in xfrm | |
379 | ||
380 | .SS ip xfrm state get - get existing state in xfrm | |
381 | ||
382 | .SS ip xfrm state deleteall - delete all existing state in xfrm | |
383 | ||
384 | .SS ip xfrm state list - print out the list of existing state in xfrm | |
385 | ||
386 | .SS ip xfrm state flush - flush all state in xfrm | |
387 | ||
388 | .SS ip xfrm state count - count all existing state in xfrm | |
389 | ||
390 | .TP | |
391 | .IR ID | |
392 | is specified by a source address, destination address, | |
393 | .RI "transform protocol " XFRM-PROTO "," | |
394 | and/or Security Parameter Index | |
395 | .IR SPI "." | |
29665f92 DW |
396 | (For IP Payload Compression, the Compression Parameter Index or CPI is used for |
397 | .IR SPI ".)" | |
2a9721f1 SH |
398 | |
399 | .TP | |
400 | .I XFRM-PROTO | |
401 | specifies a transform protocol: | |
402 | .RB "IPsec Encapsulating Security Payload (" esp ")," | |
403 | .RB "IPsec Authentication Header (" ah ")," | |
404 | .RB "IP Payload Compression (" comp ")," | |
405 | .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or" | |
406 | .RB "Mobile IPv6 Home Address Option (" hao ")." | |
407 | ||
408 | .TP | |
409 | .I ALGO-LIST | |
29665f92 DW |
410 | contains one or more algorithms to use. Each algorithm |
411 | .I ALGO | |
412 | is specified by: | |
413 | .RS | |
414 | .IP \[bu] | |
415 | the algorithm type: | |
2a9721f1 | 416 | .RB "encryption (" enc ")," |
29665f92 DW |
417 | .RB "authentication (" auth " or " auth-trunc ")," |
418 | .RB "authenticated encryption with associated data (" aead "), or" | |
419 | .RB "compression (" comp ")" | |
420 | .IP \[bu] | |
421 | the algorithm name | |
422 | .IR ALGO-NAME | |
423 | (see below) | |
424 | .IP \[bu] | |
425 | .RB "(for all except " comp ")" | |
426 | the keying material | |
427 | .IR ALGO-KEYMAT "," | |
428 | which may include both a key and a salt or nonce value; refer to the | |
429 | corresponding RFC | |
430 | .IP \[bu] | |
431 | .RB "(for " auth-trunc " only)" | |
432 | the truncation length | |
433 | .I ALGO-TRUNC-LEN | |
434 | in bits | |
435 | .IP \[bu] | |
436 | .RB "(for " aead " only)" | |
2a9721f1 SH |
437 | the Integrity Check Value length |
438 | .I ALGO-ICV-LEN | |
29665f92 DW |
439 | in bits |
440 | .RE | |
441 | ||
442 | .nh | |
443 | .RS | |
444 | Encryption algorithms include | |
445 | .BR ecb(cipher_null) ", " cbc(des) ", " cbc(des3_ede) ", " cbc(cast5) "," | |
446 | .BR cbc(blowfish) ", " cbc(aes) ", " cbc(serpent) ", " cbc(camellia) "," | |
447 | .BR cbc(twofish) ", and " rfc3686(ctr(aes)) "." | |
448 | ||
449 | Authentication algorithms include | |
450 | .BR digest_null ", " hmac(md5) ", " hmac(sha1) ", " hmac(sha256) "," | |
451 | .BR hmac(sha384) ", " hmac(sha512) ", " hmac(rmd160) ", and " xcbc(aes) "." | |
452 | ||
453 | Authenticated encryption with associated data (AEAD) algorithms include | |
454 | .BR rfc4106(gcm(aes)) ", " rfc4309(ccm(aes)) ", and " rfc4543(gcm(aes)) "." | |
455 | ||
456 | Compression algorithms include | |
457 | .BR deflate ", " lzs ", and " lzjh "." | |
458 | .RE | |
459 | .hy | |
2a9721f1 SH |
460 | |
461 | .TP | |
462 | .I MODE | |
29665f92 DW |
463 | specifies a mode of operation for the transform protocol. IPsec and IP Payload |
464 | Compression modes are | |
465 | .BR transport ", " tunnel "," | |
466 | and (for IPsec ESP only) Bound End-to-End Tunnel | |
467 | .RB "(" beet ")." | |
468 | Mobile IPv6 modes are route optimization | |
469 | .RB "(" ro ")" | |
470 | and inbound trigger | |
471 | .RB "(" in_trigger ")." | |
2a9721f1 SH |
472 | |
473 | .TP | |
474 | .I FLAG-LIST | |
475 | contains one or more of the following optional flags: | |
476 | .BR noecn ", " decap-dscp ", " nopmtudisc ", " wildrecv ", " icmp ", " | |
477 | .BR af-unspec ", or " align4 "." | |
478 | ||
479 | .TP | |
480 | .IR SELECTOR | |
481 | selects the traffic that will be controlled by the policy, based on the source | |
482 | address, the destination address, the network device, and/or | |
483 | .IR UPSPEC "." | |
484 | ||
485 | .TP | |
486 | .IR UPSPEC | |
487 | selects traffic by protocol. For the | |
488 | .BR tcp ", " udp ", " sctp ", or " dccp | |
489 | protocols, the source and destination port can optionally be specified. | |
490 | For the | |
491 | .BR icmp ", " ipv6-icmp ", or " mobility-header | |
492 | protocols, the type and code numbers can optionally be specified. | |
493 | For the | |
494 | .B gre | |
495 | protocol, the key can optionally be specified as a dotted-quad or number. | |
496 | Other protocols can be selected by name or number | |
497 | .IR PROTO "." | |
498 | ||
499 | .TP | |
500 | .I LIMIT-LIST | |
501 | sets limits in seconds, bytes, or numbers of packets. | |
502 | ||
503 | .TP | |
504 | .I ENCAP | |
505 | encapsulates packets with protocol | |
506 | .BR espinudp " or " espinudp-nonike "," | |
507 | .RI "using source port " SPORT ", destination port " DPORT | |
508 | .RI ", and original address " OADDR "." | |
509 | ||
510 | .SS ip xfrm policy add - add a new policy | |
511 | ||
512 | .SS ip xfrm policy update - update an existing policy | |
513 | ||
514 | .SS ip xfrm policy delete - delete an existing policy | |
515 | ||
516 | .SS ip xfrm policy get - get an existing policy | |
517 | ||
518 | .SS ip xfrm policy deleteall - delete all existing xfrm policies | |
519 | ||
520 | .SS ip xfrm policy list - print out the list of xfrm policies | |
521 | ||
522 | .SS ip xfrm policy flush - flush policies | |
523 | ||
524 | .SS ip xfrm policy count - count existing policies | |
525 | ||
526 | .TP | |
527 | .IR SELECTOR | |
528 | selects the traffic that will be controlled by the policy, based on the source | |
529 | address, the destination address, the network device, and/or | |
530 | .IR UPSPEC "." | |
531 | ||
532 | .TP | |
533 | .IR UPSPEC | |
534 | selects traffic by protocol. For the | |
535 | .BR tcp ", " udp ", " sctp ", or " dccp | |
536 | protocols, the source and destination port can optionally be specified. | |
537 | For the | |
538 | .BR icmp ", " ipv6-icmp ", or " mobility-header | |
539 | protocols, the type and code numbers can optionally be specified. | |
540 | For the | |
541 | .B gre | |
542 | protocol, the key can optionally be specified as a dotted-quad or number. | |
543 | Other protocols can be selected by name or number | |
544 | .IR PROTO "." | |
545 | ||
546 | .TP | |
547 | .I DIR | |
548 | selects the policy direction as | |
549 | .BR in ", " out ", or " fwd "." | |
550 | ||
551 | .TP | |
552 | .I CTX | |
553 | sets the security context. | |
554 | ||
555 | .TP | |
556 | .I PTYPE | |
557 | can be | |
558 | .BR main " (default) or " sub "." | |
559 | ||
560 | .TP | |
561 | .I ACTION | |
562 | can be | |
563 | .BR allow " (default) or " block "." | |
564 | ||
565 | .TP | |
566 | .I PRIORITY | |
567 | is a number that defaults to zero. | |
568 | ||
569 | .TP | |
570 | .I FLAG-LIST | |
571 | contains one or both of the following optional flags: | |
572 | .BR localok " or " icmp "." | |
573 | ||
574 | .TP | |
575 | .I LIMIT-LIST | |
576 | sets limits in seconds, bytes, or numbers of packets. | |
577 | ||
578 | .TP | |
579 | .I TMPL-LIST | |
580 | is a template list specified using | |
581 | .IR ID ", " MODE ", " REQID ", and/or " LEVEL ". " | |
582 | ||
583 | .TP | |
584 | .IR ID | |
585 | is specified by a source address, destination address, | |
586 | .RI "transform protocol " XFRM-PROTO "," | |
587 | and/or Security Parameter Index | |
588 | .IR SPI "." | |
29665f92 DW |
589 | (For IP Payload Compression, the Compression Parameter Index or CPI is used for |
590 | .IR SPI ".)" | |
2a9721f1 SH |
591 | |
592 | .TP | |
593 | .I XFRM-PROTO | |
594 | specifies a transform protocol: | |
595 | .RB "IPsec Encapsulating Security Payload (" esp ")," | |
596 | .RB "IPsec Authentication Header (" ah ")," | |
597 | .RB "IP Payload Compression (" comp ")," | |
598 | .RB "Mobile IPv6 Type 2 Routing Header (" route2 "), or" | |
599 | .RB "Mobile IPv6 Home Address Option (" hao ")." | |
600 | ||
601 | .TP | |
602 | .I MODE | |
29665f92 DW |
603 | specifies a mode of operation for the transform protocol. IPsec and IP Payload |
604 | Compression modes are | |
605 | .BR transport ", " tunnel "," | |
606 | and (for IPsec ESP only) Bound End-to-End Tunnel | |
607 | .RB "(" beet ")." | |
608 | Mobile IPv6 modes are route optimization | |
609 | .RB "(" ro ")" | |
610 | and inbound trigger | |
611 | .RB "(" in_trigger ")." | |
2a9721f1 SH |
612 | |
613 | .TP | |
614 | .I LEVEL | |
615 | can be | |
616 | .BR required " (default) or " use "." | |
617 | ||
618 | .SS ip xfrm monitor - state monitoring for xfrm objects | |
619 | The xfrm objects to monitor can be optionally specified. | |
620 | ||
621 | .SH AUTHOR | |
29665f92 | 622 | Manpage revised by David Ward <david.ward@ll.mit.edu> |